HTTP/2 Now Available on all shared/cloud servers at SiteGround

The Internet as we all know it today wouldn’t have existed without the HTTP protocol. It is the heart and soul that pumps content to all of us. It makes it possible for us to read the latest news, order stuff online, watch videos on YouTube and get to our favourite websites on all types of devices - workstations with 27-inch displays, laptops, mobile phones, tablets and even e-readers that offer browsing capabilities. Sadly, that protocol has not been changed since 1999 when version 1.1 was released so, when HTTP/2 was released earlier this year, it was a source of major excitement. Of course, the SiteGround team immediately started working on it and we are now happy to announce that all our shared and cloud servers support HTTP/2.

Why did HTTP need an update?

Modern websites/apps make hundreds of HTTP requests and HTTP 1.1 is not well designed for the performance needs of the modern web and the constantly growing requirements of the users. During the last 16 years many new technologies emerged and web developers got really creative in terms of going around and jumping over the limitations of HTTP 1.1. However, it was time for the protocol itself to change and introduce some new features that will speed up all sites on the Internet.

What’s new in HTTP/2?

HTTP/2 is based on SPDY and is focused on performance improvements. It offers the following enhancements:

Multiplexing For Faster Data Transfer

Modern websites/apps require web browsers to make many requests to render a web page. In the beginning HTTP/1.0 allowed only one request to be made via a single TCP connection. With HTTP/1.1 this was addressed so browsers can make multiple requests to load many resources simultaneously. Unfortunately, another problem called head-of-line blocking was not resolved.

When HTTP/1.1 is used the request flow is usually the following: the browser sends a request and needs to wait for the response of the server in order to send the next request. Modern websites have over 100 objects and even when browsers use multiple connections this way of handling requests can add up to a lot of time because of head-of-line blocking.

The solution introduced in HTTP/2 is called multiplexing. It gives us a simple way to request and receive multiple web objects at a time through a single connection. It is the solution for the head-of-line blocking problem. HTTP/2 resolves this problem by using frames. Every frame contains meta information about requests/responses which allows one connection to be used for simultaneous delivery without causing confusion about which response is associated with which request. Here is an example of how HTTP/2 handles the same three requests that we showed in the previous diagram:

As you can see from the second diagram, when HTTP/2 is used the user sends multiple requests and can receive the responses in any order. Thus, pages load faster. For example, the server needed more time to handle the second request but the delivery of the third object was not blocked.
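As an added illustration (not SiteGround's code or part of the original post), the sketch below parses the 9-byte HTTP/2 frame header and reassembles three interleaved responses by stream ID, rejecting truncated or oversized frames. The wire bytes are constructed for the example and carry only DATA frames (real responses begin with HEADERS frames), and the function names are hypothetical.

```python
import struct
from collections import defaultdict

FRAME_HEADER_LEN = 9            # every HTTP/2 frame starts with a 9-byte header
DEFAULT_MAX_FRAME_SIZE = 16384  # initial SETTINGS_MAX_FRAME_SIZE
TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1

def build_frame(frame_type, flags, stream_id, payload):
    """Serialize a frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, frame_type, flags,
                       stream_id & 0x7FFFFFFF) + payload

def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Yield (type, flags, stream_id, payload); reject truncated or oversized frames."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, offset)
        length = (hi << 16) | lo
        if length > max_frame_size:
            raise ValueError("frame larger than the advertised maximum")
        start = offset + FRAME_HEADER_LEN
        if start + length > len(buf):
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid & 0x7FFFFFFF, buf[start:start + length]
        offset = start + length

def demultiplex(buf):
    """Rebuild each response body by stream id; also return the order streams finished."""
    bodies, finished = defaultdict(bytes), []
    for ftype, flags, sid, payload in parse_frames(buf):
        if ftype != TYPE_DATA:
            continue              # HEADERS, SETTINGS, etc. are outside this sketch
        if sid == 0:
            raise ValueError("DATA frame on stream 0 is a protocol error")
        bodies[sid] += payload    # sample frames carry no padding (PADDED flag unset)
        if flags & FLAG_END_STREAM:
            finished.append(sid)
    return dict(bodies), finished

# Constructed sample: requests 1, 2, 3 map to streams 1, 3, 5 on one connection.
# The second response (stream 3) is slow, yet stream 5 completes first.
WIRE = b"".join([
    build_frame(TYPE_DATA, 0, 1, b"<html>"),
    build_frame(TYPE_DATA, 0, 3, b"body{"),
    build_frame(TYPE_DATA, FLAG_END_STREAM, 5, b"var x=1;"),
    build_frame(TYPE_DATA, FLAG_END_STREAM, 1, b"</html>"),
    build_frame(TYPE_DATA, FLAG_END_STREAM, 3, b"color:red}"),
])
```

Calling `demultiplex(WIRE)` returns the three reassembled bodies together with the order in which the streams completed.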

Compression Of Headers For Transferring Less Data

The second big improvement added by HTTP/2 is related to HTTP headers. Clients use headers to inform servers what information is needed and in what format the information could be delivered to them. For example, a web browser usually sends headers to inform the servers that it supports gzip compressed data. Cookies are also communicated via headers and the size of some cookies can get really big.

The problem is headers do not change much between requests. Also, with HTTP/1.1 headers have to be provided for every single request, which of course is pointless when headers do not change. Now HTTP/2 not only sends headers per connection, but it also offers compression. This means that an average web page that contains ~80-90 objects can now be loaded much faster because the web browser will need just one round trip to send all of the headers for all of the objects.

Prioritization For Proper Page Rendering

The third problem which HTTP/2 solves is caused by multiplexing and header compression. Some objects are more important than others. For example, the CSS objects for a site should be delivered in the beginning, so that the site could be properly displayed. If multiplexing is used you cannot be sure that the CSS will be delivered before the rest of the objects.

The designers of the protocol decided to address this issue in the protocol itself. Clients are able to communicate with the server and indicate priorities for certain objects and this way the web servers can make decisions about which objects should be delivered first to the clients. Since the protocol itself supports prioritization this means that web developers should not worry about changes that need to be made to their apps. The modern web browsers will take care of prioritization and handling of data streams in HTTP/2.

HTTP/2 Needs SSL/TLS

All web server implementations support HTTP/2 when it is used over an encrypted connection. This means you need an SSL certificate for your website in order to take advantage of HTTP/2.

Is HTTP/2 already in use?

HTTP/2 is already live and you are probably already using it on your end if you’re using a modern browser: the latest versions of Chrome, Firefox, Opera and Edge all support HTTP/2.

Now all SiteGround shared/cloud servers support HTTP/2. Please note that clients that have private SSL certificates (see above: encryption is a must when HTTP/2 is used) can immediately take advantage of the new cool performance optimizations offered by HTTP/2.

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper focused on solving all kinds of issues and improving our services.

Great explanation of what HTTP/2 is capable of, thanks.
The speed enhancements overall are actually something to look forward to.
I'm off to ask our host about this and whether we will/already have it.

You don't need to do anything on your end - the web server (Nginx) and the clients' browsers will do the magic for you. The only requirement is for you to have a private SSL certificate installed on your account.

November 10, 2015 / 01:42 Badan SiteGround Team

"The only requirement is for you to have a private SSL certificate installed on your account."

I have an SSL certificate installed on one domain only on my account. So this means that the other domains will not work on HTTP/2?

November 10, 2015 / 01:53 Daniel Kanchev SiteGround Team

Yes, that is correct. The only domain name which will work over HTTP/2 will be the one that uses a private SSL.

According to this blog post by Cloudflare they are still testing HTTP/2 on their servers and right now it is still not publicly available. However, I am sure that soon they will have it available for all of their clients.

I am afraid that at this stage every shared hosting account (GoGeek, StartUp and GrowBig) can use only one SSL certificate. Thus, if you want all of your sites to use HTTP/2 then this means that for every site you need to get a separate hosting account with a private SSL certificate for the domain name in question. The other option is to get a cloud server and create separate cPanel accounts for all sites on the cloud server.

eMail security issue, will the new upgrade stop the warnings about the siteground security certificate. I have 3 different shared accounts and this warning is totally embarrassing to explain to our clients. If this isn't going to fix the wildcard issue.. WHEN???
The Hosting is great... the Support is GREAT...The email is NOT.

HTTP/2 has nothing to do with the setup of our email servers. We do support SMTP over SSL/TLS and IMAP/POP3 over SSL/TLS. If you have more questions about the exact SSL/TLS setup of our servers please open a support ticket via your SiteGround.com User Area.

The GrowBig plan allows you to get a free SSL for one domain name for 1 year. After that the SSL upgrade becomes paid. I am afraid that once you get the free SSL you cannot change it to be valid for another domain name. Please post a support ticket for more information.

I understand that I would need a SSL cert per domain - can you confirm that any WP installs need to be fully SSL compliant also? That is, there are some themes/plugins that don't play so well when going via https...
thanks

Clive, my personal recommendation is to reconfigure your whole site to use HTTPS. If for some strange reason your WP theme does not support HTTPS then you should contact the developers of the template and ask for assistance. As you probably know last year Google decided to add another metric to their ranking algorithms and this is page encryption:

Thus, my advice for you if you have a private SSL is to configure your site to work entirely via HTTPS. If this is not possible then you'll be able to use HTTP/2 only for some parts of your site (the ones that work via HTTPS).

By default we use Apache on our dedicated servers and our version of Apache does not support HTTP/2. HTTP/2 is enabled by default if you order the SuperCacher performance booster upgrade for your dedicated server. The booster upgrade will install Nginx on your dedicated server and HTTP/2 will be enabled by default. For more details please post a support ticket.

I read that it is possible to have multiple domains on the same IP address using an SSL certificate using Server Name Indication (SNI). That would make it possible to have HTTP/2 for all sites on a gogeek account. Is this something that will be possible in the (near) future?

We are considering using SNI + letsencrypt.org in order to allow people to install multiple certificates on one hosting account. I hope that soon we'll be able to do this on our shared servers. Unfortunately, until then you need a private SSL certificate issued by a vendor in order to take advantage of HTTP/2.

November 11, 2015 / 13:53 Wouter SiteGround Team

That's good news! Will we be able to install the certificates ourselves? And will you support automatic renewals? I read the letsencrypt certificates are valid for 60 days.

November 30, 2015 / 08:30 Hristo Pandjarov SiteGround Team

I am afraid we're a bit too early in the development process to tell you that with certainty but keep an eye on the blog, we will definitely post about this 🙂

Hi! Will getting a personal SSL certificate switch current http protocol to https one afterwards? And what about site SEO, will rankings be effected after switching from http to https? Is higher site performance worth worse site rankings and traffic positions?

Having an SSL just allows you to switch over to https. Whether you will do it or not is up to you. As to your other question, the SSL certificate should have a positive effect on your SEO because it's one of the thousands of things Google checks in their ranking algorithm.

"SPDY Protocol Not Enabled!
Seriously? This SSL/TLS server is using the NPN Entension to tell browsers it supports alternative protocols, but SPDY is not a protocol it supports. The server is not making SPDY an option. Since all the pieces are in place, hopefully it will be easy to enable SPDY support with this server."

It seems to be poking fun at us for having all of the SPDY components and other advanced tech, but not also activating good ol' spdy. Can we fix this in some way?

Hi David and thanks for the kind words 🙂 The spdycheck.org site probably checks only for SPDY and not for HTTP/2. Since HTTP/2 is more mature than SPDY I think that you can safely disregard the warnings displayed by spdycheck.org.

Have you done any benchmarks on how much speed increase is possible with a WordPress website? I understand that it depends on the amount of connections e.g. images, scripts etc. But maybe a ballpark number...

Pingdom, GTMetrix, there are a lot of free services for this out there.

November 19, 2015 / 11:27 Thomas Herold SiteGround Team

I am referring to your hosting company and not to other services. In order to test it I have to buy an SSL certificate first. So, again the question in plain English: Have you done some testing on websites hosted with your company?

November 30, 2015 / 08:34 Hristo Pandjarov SiteGround Team

We constantly perform such tests in-house. However, there are way too many variables in those and we haven't "packed" those tests in a presentable way. In addition, we provide free SSL certificates with our GoGeek accounts but if it's just for the test, you can always use a self-signed one. The impact on the loading speeds is the same, no matter if the certificate is signed by a trusted authority or not.

I'm amazed, though, how you guys have been able to hack modernity into it. I believe you're probably the most advanced Cpanel based host out there. You could use that in your ads, maybe... let people know they can take any Cpanel site, import it to SG, and really make it fly 🙂

November 30, 2015 / 08:31 Hristo Pandjarov SiteGround Team

Yep, it has a lot of great functionality but a handful of limitations too and we can't hack around everything 🙁

Hi Luis and thanks for your comment! We are considering using SNI + letsencrypt.org in order to allow people to install multiple certificates on one hosting account. I hope that soon we'll be able to do this on our shared servers. The technical implementation is the easy part. However, before we officially add SNI support we would like to perform extensive tests to make sure that everything will work as expected.

We use a custom Nginx version which has been compiled by our colleagues from the DevOps department. The custom version is a stable release of the popular web server and it offers HTTP/2 support. We release new versions of our own Nginx when new features are added to the official Nginx releases.

Hello Daniel and thank you very much for this feature, this article and all your replies.

I have a SSL certificate (provided by GlobalSign via Siteground) for one of my main domains on my Cloud server (I believe it's included also after 1 year), and for this I understand I don't have to do anything (except to make my default WP url https now), and it's already supported.

Now I have a question about all the other domains which are pointing there. Some have their own cPanel accounts, and some are addons or parked domains on top of them. And it's constantly changing as I add a domain when I get a new client on my WP Multisite.

In one of your replies, you mention you will offer soon possibility of SNI with letsencrypt certificates.

Q2 : And can I add multiple domains for all my addons/parked domains, in all the cPanel accounts (not only main) ? and how?

Q3 : And should I replace the one provided by GlobalSign, for my main domain by one also from Letsencrypt in order to have them all SNI?
Maybe that's too many questions and I should open a support ticket? but I thought other readers might be interested to read this.

Hi Patricia and thank you for all the questions! For now you should keep the GlobalSign SSL certificate. We are still working on the LetsEncrypt implementation for cPanel. Once it is ready you'll be able to use a tool which will allow you to setup new SSL certificates directly from the cPanel. This means that currently you cannot take advantage of HTTP/2 for all of your domains. However, this will change once we finalize the SNI + LetsEncrypt implementation. There will be probably a new blog post once this is done. Thanks for your patience!

December 15, 2015 / 16:29 Patricia BT SiteGround Team

Thank you very much for your detailed reply, Daniel. Looking forward to that feature 🙂

Well, if the browser does not support it, it won't be able to load the page.

May 20, 2016 / 09:01 Vance SiteGround Team

Are you sure it doesn't fall back to HTTP/1.1 or SPDY in your environment?

May 26, 2016 / 01:17 Daniel Kanchev SiteGround Team

During the first request the browser and the server will exchange information about which version of HTTP is supported by both and then the site will be loaded. This means that if your browser supports only HTTP 1.1 then the site will be loaded via 1.1.

Yes, there's been a demand for this feature and we'll do our best to make it available right after the New Year 🙂

January 5, 2016 / 23:45 Brian Best SiteGround Team

Do you have an ETA on this? Some of my clients are requesting this and some sites I'm holding off from migrating from UKWSD into my GoGeek account due to the 1 ssl cert limit per account.

January 5, 2016 / 23:46 Brian Best SiteGround Team

Also as a side note, I was getting my head around the 1 ssl cert per account on GoGeek with your support team and pre sales team this morning and no-one mentioned that it was being worked on and to sit tight.

January 6, 2016 / 02:26 Hristo Pandjarov SiteGround Team

Both are part of a single project that I really hope we will complete in less than a month...fingers crossed here because it requires tons of testing and hard ETA is difficult to give.

Once the SNI + LetsEncrypt integration happens, will you still need a dedicated IP on your account? I think right now, it's a $30 setup fee for a 3rd party SSL cert, a $30 setup fee for a dedicated IP, plus the yearly cost of the dedicated IP.

I'm assuming since LetsEncrypt is a 3rd party cert, there will still be a setup fee? If so, if you have multiple LetsEncrypt SSLs that you want on the same account, will there just be one setup fee or will there be a separate setup fee for each cert?

No, LetsEncrypt will be completely free of charge and you will not need a dedicated IP address to use those certificates. Dedicated IP addresses will remain a requirement only for the regular SSL certificates that we provide to our customers.

January 25, 2016 / 08:07 Gregg Davis SiteGround Team

Thanks for the clarification Hristo - Having just upgraded to a Cloud account, I have a question about the dedicated IP for SSL and HTTP/2. As I set up client websites on my cloud account, each with their own cpanel, will I need to purchase a dedicated IP (and the private certificate) to provide HTTP/2 for each of them?

January 25, 2016 / 13:25 Daniel Kanchev SiteGround Team

Hello Gregg and thank you for the excellent question! Once we are done with the implementation of Let's Encrypt our systems will also become fully SNI compliant. This means that you'll be able to install more than one SSL per IP address. For more information about SNI check the following Wikipedia article:

Hello Henry, once you install Let’s Encrypt, the visitors who access your website through https and use a modern browser that supports HTTP/2 will receive your content served through faster HTTP/2 protocol.